1.3.1 Object-Based Perspective

The object-based perspective shows that the protocol uses five main object abstractions: a server object, a domain object, a group object, an alias object (alias is a group type), and a user object. A client obtains a handle (an RPC context handle) to one of these objects and then performs one or more actions on the object.

The following is a brief listing of methods that operate on each object type.

Server Object:

• SamrSetSecurityObject

• SamrQuerySecurityObject

• SamrEnumerateDomainsInSamServer

• SamrOpenDomain

• SamrLookupDomainInSamServer

• SamrCloseHandle

Domain Object:

• SamrSetSecurityObject

• SamrQuerySecurityObject

• SamrLookupNamesInDomain

• SamrLookupIdsInDomain

• SamrEnumerateGroupsInDomain

• SamrEnumerateUsersInDomain

• SamrEnumerateAliasesInDomain

• SamrOpenGroup

• SamrOpenAlias

• SamrOpenUser

• SamrQueryInformationDomain

• SamrQueryInformationDomain2

• SamrCreateGroupInDomain

• SamrCreateAliasInDomain

• SamrCreateUserInDomain

• SamrCreateUser2InDomain

• SamrSetInformationDomain

• SamrGetAliasMembership

• SamrGetDisplayEnumerationIndex

• SamrGetDisplayEnumerationIndex2

• SamrQueryDisplayInformation

• SamrQueryDisplayInformation2

• SamrQueryDisplayInformation3

• SamrCloseHandle

• SamrRemoveMemberFromForeignDomain

• SamrRidToSid

Group Object:

• SamrSetSecurityObject

• SamrQuerySecurityObject

• SamrQueryInformationGroup

• SamrSetInformationGroup

• SamrDeleteGroup

• SamrAddMemberToGroup

• SamrRemoveMemberFromGroup

• SamrGetMembersInGroup

• SamrCloseHandle

• SamrSetMemberAttributesOfGroup

• SamrRidToSid

Alias Object:

• SamrSetSecurityObject

• SamrQuerySecurityObject

• SamrQueryInformationAlias

• SamrSetInformationAlias

• SamrDeleteAlias

• SamrAddMemberToAlias

• SamrRemoveMemberFromAlias

• SamrGetMembersInAlias

• SamrAddMultipleMembersToAlias

• SamrRemoveMultipleMembersFromAlias

• SamrRidToSid

User Object:

• SamrSetSecurityObject

• SamrQuerySecurityObject

• SamrQueryInformationUser

• SamrQueryInformationUser2

• SamrSetInformationUser

• SamrSetInformationUser2

• SamrDeleteUser

• SamrGetGroupsForUser

• SamrChangePasswordUser

• SamrGetUserDomainPasswordInformation

• SamrCloseHandle

• SamrRidToSid

For example, to set a policy that limits the minimum length of passwords to eight characters for all users, a client opens a handle to a domain object and updates the minimum length password policy setting via a parameter field called MinPasswordLength. The call sequence from the client appears as follows (parameter information is removed for brevity):

(a) Send a SamrConnect5 request; receive the SamrConnect5 reply.

(b) Send a SamrOpenDomain request; receive the SamrOpenDomain reply.

(c) Send a SamrSetInformationDomain request; receive the SamrSetInformationDomain reply.

(d) Send a SamrCloseHandle request; receive the SamrCloseHandle reply.

(e) Send a SamrCloseHandle request; receive the SamrCloseHandle reply.

This sequence is expanded in the following brief explanation:

Step (a): Using the network address of a server that implements this protocol, a client makes a SamrConnect5 request to obtain a handle to a server object. This server handle is necessary to obtain a subsequent handle to a domain object.

Step (b): Using the handle returned from SamrConnect5, the client makes a SamrOpenDomain request to obtain a handle to a domain object.

Step (c): Using the handle returned from SamrOpenDomain, the client makes a SamrSetInformationDomain request, setting the MinPasswordLength parameter field to eight.

Steps (d) and (e): The client closes the handles returned from SamrOpenDomain and SamrConnect5 by using SamrCloseHandle. These steps release server resources associated with the handle; the order in which the handles are released is not important.

Section 4.1 provides an additional example.